CVE-2009-2076

Name of the Vulnerable Software and Affected Versions Drupal Views module versions prior to 6.x-2.6

Description A cross-site scripting (XSS) issue allows remote authenticated users to inject arbitrary web script or HTML via exposed filters in the Views UI administrative interface and the view name parameter in the define custom views feature. The latter vector is only exploitable by users with administer views permissions.

Recommendations For versions prior to 6.x-2.6, update to version 6.x-2.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the Views UI administrative interface and define custom views feature to minimize the risk of exploitation. Avoid using the view name parameter in the define custom views feature until the issue is resolved.